Twitter's Bug - Importing contacts (OAuth Flaw)

Introduction to Twitter's OAuth Integrations

Twitter uses several third-party OAuth integrations (Gmail, AOL, Outlook, Yahoo, etc.). These integrations give users an easy way to import their contacts from those services.
e.g. a user who has many email contacts but is new to Twitter can import contacts directly from their email service and immediately find all of their friends on Twitter.

The Story Of The Hack

The Outlook OAuth integration used on Twitter relied on a deprecated version. You can read about OAuth 2.0 here.

Note the redirect_uri parameter. It is set to https%3A%2F%2Ftwitter.com%2Finvitations%2Foauth_landing (the URL-encoded form of https://twitter.com/invitations/oauth_landing).
Now, we can change redirect_uri to any Twitter URL.
e.g. any *.twitter.com was accepted, because the integration was using a deprecated version.
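The weakness described above is a redirect_uri check that matches on the domain instead of on the exact registered URI. The following is an added example (not Twitter's or Outlook's code) that places a hypothetical suffix-match check, reconstructed from the post's description that any *.twitter.com was accepted, next to the exact-match check an authorization server should perform; the registered URI is the decoded value from the page, and the sample candidates and the EXAMPLE_TOKEN value are constructed.

```python
from urllib.parse import urlsplit, unquote

# Registered redirect URI for the Outlook import integration (decoded value from the page).
REGISTERED_REDIRECT_URIS = {"https://twitter.com/invitations/oauth_landing"}


def _split(candidate: str):
    """Parse a redirect URI; return None when it is not parseable (e.g. bad port)."""
    try:
        parts = urlsplit(candidate)
        parts.port  # raises ValueError on a malformed port
        return parts
    except ValueError:
        return None


def lax_redirect_uri_ok(candidate: str) -> bool:
    """Hypothetical reconstruction of a domain-suffix check (an assumption, not the
    real implementation): any https URL on twitter.com or a subdomain is accepted,
    regardless of path or query string."""
    parts = _split(candidate)
    if parts is None:
        return False
    host = parts.hostname or ""
    return parts.scheme == "https" and (host == "twitter.com" or host.endswith(".twitter.com"))


def strict_redirect_uri_ok(candidate: str, registered=REGISTERED_REDIRECT_URIS) -> bool:
    """Exact-match check: scheme, host, port and path must equal a registered URI.
    A query string, fragment or userinfo component is rejected outright, so the
    code can only ever be delivered to the pre-registered landing page."""
    parts = _split(candidate)
    if parts is None or parts.scheme != "https" or parts.query or parts.fragment:
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = (parts.hostname or "").lower()
    port = parts.port
    # Normalise the default HTTPS port so "twitter.com:443" matches "twitter.com".
    port_part = "" if port in (None, 443) else f":{port}"
    return f"https://{host}{port_part}{parts.path}" in registered


def validate_redirect_param(raw_param: str) -> bool:
    """Apply the strict check to a percent-encoded query-parameter value.
    Decoding happens exactly once, at the parameter layer."""
    return strict_redirect_uri_ok(unquote(raw_param))


def compare(candidate: str):
    """Return (lax_result, strict_result) for one candidate redirect_uri."""
    return lax_redirect_uri_ok(candidate), strict_redirect_uri_ok(candidate)


if __name__ == "__main__":
    # Constructed candidates: the legitimate landing page, a different path on a
    # Twitter subdomain with a query string (the shape that makes the post's
    # Referer leak possible), and a few classic bypass attempts.
    samples = [
        "https://twitter.com/invitations/oauth_landing",
        "https://twitter.com:443/invitations/oauth_landing",
        "https://api.twitter.com/oauth/authorize?oauth_token=EXAMPLE_TOKEN",
        "https://twitter.com/invitations/oauth_landing?x=1",
        "http://twitter.com/invitations/oauth_landing",
        "https://twitter.com@attacker.example/invitations/oauth_landing",
        "https://twitter.com.attacker.example/invitations/oauth_landing",
    ]
    for s in samples:
        lax, strict = compare(s)
        print(f"lax={lax!s:5} strict={strict!s:5}  {s}")
```

The decisive difference is the third sample: the suffix check accepts a redirect to a different endpoint on a Twitter subdomain, which is exactly what lets an authorization code land on a page never designed to receive it. Exact matching against a registered string, with the default port normalised and any query, fragment or userinfo rejected, closes that class of redirect-based code leakage.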

Also note response_type=code. It indicates that Twitter has implemented the server-side (authorization code) OAuth flow: after receiving the code, Twitter's server makes a request to Outlook's server and exchanges it for an access_token. Using this access_token, Twitter imports contacts from Outlook.

So my job was to steal the code. The attack vector for stealing the code is the Referer header. This was the hardest part, because Twitter uses a link shim, t.co.
e.g. when a user posts any link on Twitter, it gets converted to a link like http://t.co/anything.

When a user visits http://t.co/anything, it redirects to the site, but wait ...
It strips the Referer header from the request. So we cannot use it to leak the code via the Referer.

I was like

Then I noticed that any *.twitter.com is allowed. So it was my turn to flip the game on Twitter: I found a page in the OAuth implementation that can be used to leak the code via the Referer.

Game starts now ...!

I created an app and implemented Login via Twitter on my own site. When a user clicks Login via Twitter, an OAuth token gets created. Simply, it looks like

When the user presses Cancel, it goes to this page, and we can use this endpoint to leak the code.

Then I researched further and found that once an oauth_token has been cancelled, it can still be used to leak the code (just send it to another user).
eg. https://api.twitter.com/oauth/authorize?oauth_token=1BXYoJbg57y8iPjuOn1MHI8HTFdXubvc
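The last observation, that a cancelled oauth_token still renders the authorize page, is a token-lifecycle failure: a denied request token should be unusable afterwards. The following added example (my own code, not Twitter's) models an OAuth 1.0a style request-token store in which a token is pending, authorized, denied or expired, and the authorize page is only rendered for pending tokens; the injectable clock and the TTL value are assumptions for the demonstration.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class RequestToken:
    owner_app: str
    issued_at: float
    # pending -> authorized | denied | expired
    state: str = "pending"


class RequestTokenStore:
    """In-memory store for request tokens (the oauth_token shown on the authorize page).

    The property demonstrated: once a user presses Cancel, the token is marked denied
    and every later attempt to render the authorize page with it is refused, so the
    token cannot be re-sent to another user."""

    def __init__(self, clock=time.time, ttl_seconds: float = 600):
        self._clock = clock          # injectable so expiry can be tested deterministically
        self._ttl = ttl_seconds      # assumed lifetime of a pending token
        self._tokens: dict[str, RequestToken] = {}

    def issue(self, owner_app: str) -> str:
        token = secrets.token_urlsafe(24)
        self._tokens[token] = RequestToken(owner_app, self._clock())
        return token

    def state_of(self, token: str) -> str:
        """Current state, applying expiry lazily; unknown tokens report 'unknown'."""
        rec = self._tokens.get(token)
        if rec is None:
            return "unknown"
        if rec.state == "pending" and self._clock() - rec.issued_at > self._ttl:
            rec.state = "expired"
        return rec.state

    def can_render_authorize_page(self, token: str) -> bool:
        """Only a fresh, pending token may show the app's authorize/cancel page."""
        return self.state_of(token) == "pending"

    def cancel(self, token: str) -> bool:
        """User pressed Cancel: the token is denied and cannot be reused."""
        if self.state_of(token) != "pending":
            return False
        self._tokens[token].state = "denied"
        return True

    def authorize(self, token: str) -> bool:
        """User approved the app: the token moves to authorized exactly once."""
        if self.state_of(token) != "pending":
            return False
        self._tokens[token].state = "authorized"
        return True


if __name__ == "__main__":
    store = RequestTokenStore()
    tok = store.issue("example-login-app")   # constructed app name
    print("fresh token renders page:", store.can_render_authorize_page(tok))
    print("cancel accepted:", store.cancel(tok))
    print("cancelled token renders page:", store.can_render_authorize_page(tok))
```

The store keeps a single state per token and consults it before rendering the page, before accepting Cancel and before accepting approval, so a token that has been denied (or that has aged past its TTL) is rejected at every entry point rather than only at the final exchange.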